Add initial networking support #55

l0kod · 2024-01-10T16:09:46Z

Linux 6.7 adds an initial Landlock network support with TCP bind and connect restrictions.

l0kod · 2024-06-03T12:57:01Z

I still need to address a few TODOs but the main changes should work fine.

I'd like to leverage the type system for the port check (instead of the runtime check) but I'm still thinking about a proper API.

l0kod · 2024-06-10T14:23:14Z

I'd like to leverage the type system for the port check (instead of the runtime check) but I'm still thinking about a proper API.

I switched to u16 ports and removed the PortOverflow error. We'll add new methods with other integer types (and related overflow error) if needed.

Prepare crate for networking support, and run all tests against Linux 6.7.1 that supports Landlock ABI 4 Signed-off-by: Mickaël Salaün <mic@digikod.net>

Add the AccessNet::BindTcp and AccessNet::ConnectTcp rights. Add ruleset_created_handle_access_net test to check that handled and actual access rights are consistent according to the Landlock ABI. Rename the ruleset_created_handle_access_or test to ruleset_created_handle_access_fs. It should be noted that handle_access(AccessNet::from_all(ABI::V3)) returns an error because of the empty access bitflags. Signed-off-by: Mickaël Salaün <mic@digikod.net>

The NetPort type enables us to create network port rules leveraging Landlock ABI 4. Only 16-bit ports are allowed by the type system, which remove the need for overflow check and error. Add related tests, and handle E2BIG when the handled_access_net field is set and the running kernel does not support it. Signed-off-by: Mickaël Salaün <mic@digikod.net>

Bump to Landlock ABI v4. Tested that this sandbox doesn't restrict TCP: LL_FS_RO=/ LL_FS_RW=/ \ cargo run --example=sandboxer bash -i Tested that this sandbox restrict bind and connect ports: LL_FS_RO=/ LL_FS_RW=/ LL_TCP_BIND="2000" LL_TCP_CONNECT="3000:4000" \ cargo run --example=sandboxer bash -i Test commands (with different ports): socat tcp-listen:2000 stdio date | socat stdio tcp-connect:127.1:2000 Signed-off-by: Mickaël Salaün <mic@digikod.net>

l0kod · 2024-06-12T07:56:07Z

I'll release a new version of this crate tomorrow if no issue is reported.

l0kod · 2024-06-19T09:29:44Z

That was a long ride, but it's now published! 🥳

As you can see, this was due to some refactoring to generalize the internal library code for the new class of access rights and rule (network). This investment will greatly simplify the implementation of future changes.

As described in the changelog, you'll need to update Cargo.toml with the 0.4.0 version of this crate.

l0kod force-pushed the tcp branch 2 times, most recently from eff6566 to ca536b0 Compare January 24, 2024 15:57

l0kod mentioned this pull request Jan 24, 2024

Update UAPI to Linux 6.7 #56

Merged

l0kod closed this Jan 24, 2024

l0kod force-pushed the tcp branch from ca536b0 to 89797a0 Compare January 24, 2024 16:08

l0kod reopened this Jan 24, 2024

l0kod force-pushed the tcp branch from 5c670ae to ec37451 Compare January 24, 2024 16:15

l0kod mentioned this pull request Jan 31, 2024

Import Linux 6.7 landlock-lsm/landlock-test-tools#1

Closed

l0kod force-pushed the tcp branch 4 times, most recently from 2469121 to 4ea35a2 Compare February 13, 2024 15:14

l0kod force-pushed the tcp branch from 4ea35a2 to a6d8637 Compare March 19, 2024 18:25

l0kod mentioned this pull request Apr 2, 2024

Support Landlock ABI V4 #64

Closed

l0kod force-pushed the tcp branch from a6d8637 to e8e888c Compare April 3, 2024 15:08

l0kod mentioned this pull request May 31, 2024

Improve PrivateRule trait #65

Merged

l0kod force-pushed the tcp branch 2 times, most recently from 9afb670 to 1bebfdd Compare May 31, 2024 15:26

l0kod mentioned this pull request May 31, 2024

Move from_read() and from_write() into AccessFs #66

Merged

l0kod force-pushed the tcp branch from 1bebfdd to 547190c Compare May 31, 2024 16:06

l0kod mentioned this pull request Jun 3, 2024

Update error priority and no_new_privs behavior #67

Merged

l0kod marked this pull request as ready for review June 3, 2024 12:52

l0kod force-pushed the tcp branch from 547190c to 77dfd70 Compare June 3, 2024 12:52

l0kod force-pushed the tcp branch from 77dfd70 to 9401e70 Compare June 10, 2024 14:21

l0kod force-pushed the tcp branch from 9401e70 to 842ee5c Compare June 11, 2024 11:46

l0kod added 2 commits June 11, 2024 17:01

src,ci: Handle Landlock ABI v4

c1fef29

Prepare crate for networking support, and run all tests against Linux 6.7.1 that supports Landlock ABI 4 Signed-off-by: Mickaël Salaün <mic@digikod.net>

l0kod force-pushed the tcp branch from 842ee5c to 9ced35a Compare June 11, 2024 15:28

l0kod force-pushed the tcp branch from 9ced35a to e8d1da8 Compare June 11, 2024 17:43

l0kod force-pushed the tcp branch from e8d1da8 to d645052 Compare June 12, 2024 07:48

l0kod merged commit d645052 into landlock-lsm:main Jun 12, 2024
14 checks passed

l0kod deleted the tcp branch June 12, 2024 07:54

l0kod mentioned this pull request Jun 19, 2024

Bump to 0.4.0 #69

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add initial networking support #55

Add initial networking support #55

l0kod commented Jan 10, 2024

l0kod commented Jun 3, 2024

l0kod commented Jun 10, 2024 •

edited

Loading

l0kod commented Jun 12, 2024

l0kod commented Jun 19, 2024

Add initial networking support #55

Add initial networking support #55

Conversation

l0kod commented Jan 10, 2024

l0kod commented Jun 3, 2024

l0kod commented Jun 10, 2024 • edited Loading

l0kod commented Jun 12, 2024

l0kod commented Jun 19, 2024

l0kod commented Jun 10, 2024 •

edited

Loading